Research by an NGO specializing in privacy protection lifts the veil on an all-Italian malware designed to spy on and intercept Android users.
There is an Android virus made in Italy circulating on the Play Store: it is called Exodus and is contained in about twenty infected apps, which have already been downloaded and used by a thousand people. It is said to have been produced by eSurv, a company in Catanzaro that specializes in surveillance systems and has in the past held contracts with Italian law enforcement agencies.
This is what emerges from a report by the NGO Security Without Borders, which specializes in cyber attacks and in protecting the privacy of human rights, political and social activists, and which worked in collaboration with Motherboard magazine.
What Exodus does: the malware that intercepts Italians
The NGO's in-depth report shows that the main purpose of the Exodus malware is to collect information about the user of the infected smartphone. The malicious code can in fact harvest a bit of everything: the list of installed applications; ambient audio recorded with the phone's microphone; browsing history and bookmarks from Chrome and SBrowser (the browser on Samsung phones); calendar events; the call log; recordings of phone calls; pictures taken with the camera; information about cell towers; the address book; the Facebook contact list; Messenger conversation logs; screenshots of any app in the foreground; image information from the Gallery; information from Gmail; contacts and messages from the Skype app; all SMS messages; messages and the encryption key from Telegram; Viber Messenger data; WhatsApp logs and the files exchanged through WhatsApp; the password of the Wi-Fi network the phone is connected to; WeChat data; and even the phone's GPS coordinates.
What apps are infected by Exodus
The Exodus malware has been embedded in at least twenty apps, all Italian and in the Italian language, regularly uploaded to the Play Store, whose filters did not detect any threat to users. From an initial reconnaissance carried out by Bufale.net, these ten apps are definitely infected: Line Assistance, Special Offers, Personalized Phone Offers, Premium Phone Services, Offers for You, Reactivate Line Assistance, Operator Italy, Promo Offers, SIM Assistance and Phone Offers for You. The virus has been in circulation since at least 2016, so it is possible that other infected apps have yet to be discovered. Google has reportedly already removed all the infected apps from its store.
How Exodus virus works
The Exodus infection starts by downloading and installing one of the infected apps. The virus has two stages, named "Exodus 1" and "Exodus 2". The first is responsible for reading the phone's IMEI code and sending it to the command-and-control server. This behavior would suggest malware programmed to spy on a specific set of users, a scenario compatible with a police interception.
In reality, however, Security Without Borders discovered that even when the IMEI sent is that of a new disposable phone, activated only for testing purposes, Exodus activates anyway, downloading the second package, Exodus 2, which contains the real virus and starts tracking the user's behavior. Among the serious risks Exodus poses is also the fact that, either intentionally or because of incorrect programming, it leaves several ports open and makes the smartphone vulnerable to anyone connected to the same Wi-Fi network and (perhaps) even to the same cell of the mobile operator.
Why does Exodus also affect normal users?
In the last few hours a heated debate has opened about this virus: if it is true, as all signs suggest, that it is a virus created to carry out in-depth ambient interceptions, how did it end up in apps that anyone can freely download from Google's official store? The most widespread hypothesis is also the least reassuring: it was put on the Play Store so that it could be tested before being used in official investigations. In recent hours the Privacy Guarantor, Antonello Soro, has commented on the story: "The news of the interception of hundreds of citizens completely unrelated to judicial investigations, due to a mere error in the operation of a computer receiver used for investigative purposes, raises great concern and will be the subject of due diligence, including by the Guarantor, within its own competence."
How to defend yourself against the Exodus virus
If in the past you downloaded one of the infected apps, it is almost certain that your smartphone is infected and that Exodus is collecting a huge amount of data about you. To remove the virus you need to use a good antivirus updated to the latest version. The problem, however, is that the existence of this malware has only recently become known, and so it is not certain that the most popular antivirus products will be able to detect Exodus.
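Two of the findings above lend themselves to a simple defender-side check that does not depend on an antivirus signature: the presence of a watchlisted third-party package (the "What apps are infected" section) and the open ports that Exodus leaves reachable from the local network (the "How Exodus virus works" section). The following script is an added example, not code from the article or from Security Without Borders. It parses constructed samples of two command outputs that an investigator would pull from a device over adb (`pm list packages -3` for third-party packages, and a `ss -tlnp`-style listing of listening sockets, assumed here to be available on the device or obtained from a Linux-side capture); the package names and watchlist entries are hypothetical placeholders, since the article gives only app display names, not package identifiers.

```python
"""Triage helper: flag watchlisted packages and network-exposed listeners.

Added example, not the article's or the NGO's code. All sample data below is
constructed; package names and the watchlist are hypothetical placeholders.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of `adb shell pm list packages -3` output (assumption:
# one "package:<name>" per line, as pm prints it). Names are placeholders.
SAMPLE_PACKAGES = """package:com.example.messenger
package:it.placeholder.offerte_telefoniche
package:com.example.maps
"""

# Hypothetical watchlist a defender would populate from published IoCs.
WATCHLIST: Set[str] = {"it.placeholder.offerte_telefoniche"}

# Constructed sample of `ss -tlnp`-style output: one loopback-only service
# (fine) and two services bound to every interface (reachable over Wi-Fi).
SAMPLE_SOCKETS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5037      0.0.0.0:*
LISTEN 0      50     0.0.0.0:47301       0.0.0.0:*
LISTEN 0      50     [::]:6000           [::]:*
"""

# Matches "LISTEN <recvq> <sendq> <local-address:port> ..." rows only.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s")


def parse_packages(text: str) -> List[str]:
    """Extract package names from pm's "package:<name>" lines."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def flag_watchlisted(packages: Iterable[str], watchlist: Set[str]) -> List[str]:
    """Return installed packages that appear on the watchlist, sorted."""
    return sorted(p for p in packages if p in watchlist)


def parse_listening(text: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every LISTEN row in ss-style output."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header or non-LISTEN row
        addr, port = m.group(1).rsplit(":", 1)  # keeps "[::]" intact
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for 127.x.x.x and ::1 (with or without IPv6 brackets)."""
    bare = addr.strip("[]")
    return bare.startswith("127.") or bare == "::1"


def exposed_listeners(listeners: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listeners not bound to loopback are reachable from the network."""
    return [(a, p) for a, p in listeners if not is_loopback(a)]


def report(packages_text: str, sockets_text: str, watchlist: Set[str] = WATCHLIST) -> Dict:
    """Combine both checks into one triage verdict."""
    hits = flag_watchlisted(parse_packages(packages_text), watchlist)
    exposed = exposed_listeners(parse_listening(sockets_text))
    return {
        "watchlisted_packages": hits,
        "exposed_ports": exposed,
        "suspicious": bool(hits or exposed),
    }


if __name__ == "__main__":
    print(report(SAMPLE_PACKAGES, SAMPLE_SOCKETS))
```

An exposed listener is not proof of infection on its own (legitimate apps sometimes bind to all interfaces), but on a phone that also carries a watchlisted package it is exactly the condition the report describes: a service that anyone on the same Wi-Fi network can reach. Treat the combined verdict as a reason to pull the device for a proper forensic look rather than as a conclusive result.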